Zero-Day Vulnerabilities: Exploitation Trends and Lessons Learned

Posted on May 1, 2025

Author: Doug Britton

Zero-day vulnerabilities are one of the most significant threats facing enterprises and critical infrastructure. These unknown software flaws, which attackers can exploit before patches become available, pose substantial risks to essential systems, operations, and sensitive data across industries.

In 2024 alone, security researchers at Google tracked 75 zero-day vulnerabilities exploited in the wild. Particularly alarming is that 44% of these targeted enterprise products, highlighting how attractive zero-day vulnerabilities are to cybercriminals and nation-state threat actors. For example, we’ve seen how Volt Typhoon and Salt Typhoon have specifically targeted operational technology (OT) systems through unpatched vulnerabilities.

Whether we’re considering weapons systems, critical service providers, security vendors, or others, nation-states and other malicious actors have their eyes on zero-day flaws as a means to cause widespread damage and disruption.

What Are Zero-Day Vulnerabilities and Why Are They Exploited?

A zero-day vulnerability is a flaw in software that is unknown to the software’s developers or vendors. Because no patch exists to correct the flaw, attackers can exploit it to gain unauthorized access to systems, disrupt operations, or steal sensitive data. Zero-day attacks are especially dangerous because they target unsuspecting systems, leaving defenders without sufficient time to react until after the vulnerability is discovered and addressed.

Attackers exploit zero-day vulnerabilities for several reasons:

Access to critical systems: Whether targeting enterprise networks or OT environments, attackers can exploit zero-day vulnerabilities to bypass security controls and gain unauthorized entry.
Widespread impact: Exploiting a zero day in commonly used software or widely deployed systems can lead to mass compromise.
Advantage in intelligence gathering: Nation-state threat actors frequently use zero days to extract sensitive intelligence, setting the stage for future attacks.
Disruption: Threat actors utilize zero-day exploits as a weapon to disrupt operations, with the potential for significant financial and operational repercussions.

Recent Trends in Zero-Day Exploitation

The growing risk of zero-day vulnerabilities stems from several key factors, like the rise in interconnected devices and the wider use of open-source software. Here are some important trends to keep in mind.

1. Enterprise Software in the Crosshairs

Of the 75 zero days exploited in 2024, 44% targeted enterprise systems. Specific cases include:

Ivanti VPN Zero Days: Ivanti’s Connect Secure VPN devices became a notable target for attackers, with seven zero days discovered, including CVE-2025-0282, which allowed remote code execution. Attackers used these vulnerabilities to inject malware into corporate networks.
Palo Alto Networks PAN-OS: A command-injection exploit allowed attackers to bypass security controls in enterprise firewalls, exposing sensitive environments to intrusions.

Such examples underscore the need for enterprises, as high-value targets, to proactively address vulnerabilities across their technology stacks.

2. Supply Chain Attacks: The Multiplier Effect

Attackers increasingly target software supply chains, exploiting vulnerabilities at the development stage. For instance:

MOVEit Transfer and Jenkins Vulnerabilities: A critical path traversal flaw (CVE-2024-23897) within Jenkins could result in arbitrary code execution. If exploited, attackers gain opportunities to insert malware into countless downstream applications.

Supply chains present an ideal target because a single vulnerability in shared components can impact thousands of users across industries.

3. Embedded Software Under Fire

Embedded systems used in everything from medical devices to automotive software share a unique risk in terms of zero-day vulnerabilities due to their reliance on C/C++ code. Research shows that 70% of vulnerabilities in compiled code are memory safety issues, such as buffer overflows and use-after-free errors. Attackers favor these flaws because they are difficult to detect and can cause major disruptions.

Key embedded-system sectors targeted include:

Industrial Control Systems (ICS) and Operational Technology: Attackers compromise OT environments in critical infrastructure, potentially causing large-scale service disruptions.
Automotive Software: Vulnerabilities found in connected vehicles could allow attackers to take control of core functions or extract user data.
Medical Devices: Unauthorized access to medical device software can compromise patient treatment and safety.

Ways to Defend Against Zero-Day Vulnerabilities

While it’s impossible to eliminate all vulnerabilities, organizations can take proactive steps to reduce their exposure to zero-day exploits. Below are actionable recommendations for enterprises and developers:

1. Adopt a Zero Trust Architecture

Zero trust assumes no implicit trust between systems. By applying strict access controls and continuously verifying users and devices, enterprises can minimize the impact of zero-day breaches.

2. Perform Dynamic and Static Analysis

Dynamic application security testing (DAST) and static application security testing (SAST) tools can identify vulnerabilities before they’re exploited. Automated testing provides invaluable insights into weak spots.

3. Deploy Runtime Protections

Solutions like runtime exploit prevention can defend applications against zero-day exploitation in live environments. For embedded systems, tools like RunSafe Protect are ideal for neutralizing memory safety vulnerabilities, providing real-time defense against exploits.

4. Strengthen Vulnerability Management Programs

A thorough vulnerability management program helps organizations prioritize high-risk systems, improve patch timelines, and reduce attack surfaces. An important starting point is to generate comprehensive SBOMs that provide visibility into software components.

5. Assess Total Zero-Day Exposure

The Google report found that use-after-free errors, command injection, and cross-site scripting (XSS) were the most frequently exploited vulnerability types. Deploying secure coding practices is one way to address these issues and minimize the number of zero-day vulnerabilities in code.

In the case of memory safety vulnerabilities, understanding potential zero-day exposure through tools like RunSafe’s Risk Reduction Analysis gives organizations unprecedented visibility into their vulnerability landscape. By analyzing return-oriented programming (ROP) chains, the analysis quantifies memory-based zero days and how much organizations can reduce risk when implementing targeted protections where they matter most.

Lessons Learned from Recent Zero-Day Incidents

The continued use of zero days by nation-state actors underscores the importance of adopting a proactive approach to security. Lessons include:

Memory safety matters: With many recent exploits stemming from memory flaws, securing codebases in languages like C/C++ is paramount. Runtime protections defend new and legacy code to prevent attackers from taking advantage of these flaws.
Supply chain hygiene is critical: Minimizing risk in software supply chains requires vetting third-party code carefully and implementing Software Bills of Materials (SBOMs) to identify and address potential weaknesses.
No one is immune: Enterprises, operational technology vendors, and critical service providers alike must address their unique attack surfaces to avoid becoming the next victim of a zero-day exploit.

Gaining the Upper Hand Against Zero-Day Attacks

Nation-state actors and sophisticated criminal groups continue to leverage zero-day vulnerabilities because they consistently deliver results. The Ivanti exploits and other critical vulnerabilities throughout 2024 reinforce the need for secure coding practices and security solutions that take away attackers’ ability to exploit software flaws.

Visibility is also an important way to level the playing field. We know that memory safety flaws remain a predominant source of zero-day exploits. Tools like RunSafe’s Risk Reduction Analysis give organizations the ability to quantify their exposure to CVEs and memory-based zero days.

By analyzing an SBOM or binary, the tool gives organizations visibility into weak spots in their software and the ability to apply remediations before attackers exploit them, transforming their security posture from reactive to proactive. When it comes to zero-day vulnerabilities, knowledge isn’t just power. It’s protection.

The EU Cyber Resilience Act (CRA) Exposed: What You Need to Know Now

May 20, 2025

The EU Cyber Resilience Act (CRA) is set to transform the landscape of cybersecurity compliance for manufacturers, developers, and supply chain providers across Europe—and its impact will be felt far beyond the EU’s borders. While the EU CRA won’t be fully enforced...

Ransomware in OT Environments: A 2025 Perspective

May 16, 2025

Operational technology (OT) ransomware attacks have escalated to crisis levels in 2025. A recent FBI report revealed a 9% increase in ransomware attacks targeting U.S. infrastructure in 2024, with more than 1,300 complaints linked to critical sectors like energy,...

Driving Innovation Safely: 5 Ways to Secure Software-Defined Vehicles

May 13, 2025

With millions of lines of code and hundreds of software programs managing everything from autonomous systems to braking, software security is now an undeniable component of vehicle safety. The challenge for the industry is balancing rapid innovation with stringent...